# Foundational Cybersecurity Activities for IoT Device Manufacturers^NISTIR8259^
>>This publication is available free of charge at:
:arrow_right: https://doi.org/10.6028/NIST.IR.8259 :arrow_left:
## :memo:Introduction & Purpose
>This publication describes six recommended foundational cybersecurity activities that manufacturers should consider performing to improve the securability of the new IoT devices they make.
>>Four of the six activities primarily impact decisions and actions performed by the manufacturer before a device is sent out for sale (pre-market), and the remaining two activities primarily impact decisions and actions performed by the manufacturer after device sale (post-market).
>These foundational cybersecurity activities can help manufacturers lessen the cybersecurity-related efforts needed by customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised devices.
## Summary
- IoT devices often lack device capabilities that customers can use to help mitigate their cybersecurity risks. IoT device customers may have to select, implement, and manage additional or new cybersecurity controls or alter the controls they already have. Customers may not know they need to alter their existing processes to accommodate the unique characteristics of IoT.
- The result is unsecure IoT devices, which attackers can compromise more easily.
- IoT device manufacturers will also often need to perform actions or provide services that their customers expect and/or need in order to plan for and maintain the cybersecurity of the device within their systems and environments.
- From this publication, IoT device manufacturers will learn how they can help IoT device customers by carefully considering which device cybersecurity capabilities to design into their devices for customers to use in managing their cybersecurity risks.
>:memo:Note
>This publication is intended to inform the manufacturing of new devices and not devices that are already produced or in production, although some of the information in this publication might also be applicable to such devices.

*Figure 1: Foundational Cybersecurity Activity grouped by Phase Impacted*
Improving the securability of an IoT device for customers means helping customers meet their risk mitigation goals, which involves identifying and addressing a set of risk mitigation areas. Even customers without formal risk mitigation goals, such as home consumers, often have informal and indirect cybersecurity goals, like having their IoT device provide the desired functionality as expected (e.g., automatically), that depend to some extent on addressing those risk mitigation areas.
Based on an analysis of existing NIST publications such as ***SP 800-53*** and the ***Cybersecurity Framework***, and of the ***characteristics of IoT devices***, ***NISTIR 8228*** **identified the common risk mitigation areas for IoT devices as**:
1. **Asset Management**
2. **Vulnerability Management**
3. **Access Management**
4. **Data Protection**
5. **Incident Detection**
Sections 3 and 4 of NISTIR 8228 discuss additional cybersecurity-related considerations that manufacturers should be mindful of when identifying the device cybersecurity capabilities IoT devices provide. Also, Tables 1 and 2 in Section 4 of NISTIR 8228 list common shortcomings in IoT device cybersecurity, explain how they can negatively impact customers, and provide the rationales for needing each capability and key element in the core baseline defined in the companion publication, NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline.
Only cybersecurity risks are discussed in this publication. Readers who are interested in better understanding other types of risks and their relationship to cybersecurity may benefit from reading NIST SP 800-82 Revision 2, Guide to Industrial Control Systems (ICS) Security [8], and NIST SP 1500-201, Framework for Cyber-Physical Systems: Volume 1, Overview, Version 1.0, from the Cyber-Physical Systems Public Working Group [9].
## Activities with Primarily Pre-Market Impact
The activities are meant to be conducted in parallel with or as extensions of a manufacturer's other pre-market activities, and they will primarily impact those other pre-market activities.
### **Activity 1**: *Identify expected customers and users, and define expected use cases*
> Identifying the expected customers and users, as well as the end users' expected use cases for an IoT device, early in its design is vital for determining which device cybersecurity capabilities the device should implement and how it should implement them. Manufacturers can answer questions like the following:
***Which types of people are expected customers for this device?*** (e.g., musicians, small business owners, cyclists, police officers, chefs, home builders, preschoolers, electrical engineers)
***Which types of organizations are expected customers for this device?*** (e.g., individual home users, small retail businesses, large hospitals, energy companies with solar farms, educational institutions with buses)
Another early step in IoT device design is defining expected use cases for the device based on the expected customers.
***How will the device be used?*** (e.g., for a single purpose or for multiple purposes; embedded within another device or not embedded, single user/customer or multiple users; private or commercial use)
***Where geographically will the device be used?*** (e.g., countries, jurisdictions within countries)
***What physical environments will the device be used in?*** (e.g., inside or outside; stationary or moving; public or private; movable or immovable; extreme or specific physical and weather conditions)
***How long is the device expected to be used for?*** (e.g., a few hours; several years; two decades)
***What dependencies on other systems will the device likely have?*** (e.g., requires use of a particular IoT hub; uses cloud-based third-party services for some functionality)
***How might attackers misuse and compromise the device?*** (i.e., potential pairings of threats and vulnerabilities, such as in a threat model including consideration of network connections that may provide a path to the internet that can be used as a vector of attack against other networks or devices, such as a **distributed denial of service attack**)
***What other aspects of device use might be relevant to the device’s cybersecurity risks?*** (e.g., operational characteristics of the device that may have safety, privacy, or other implications for users)
### **Activity 2**: *Research customer cybersecurity needs and goals*
>Customers’ risks drive their cybersecurity needs and goals. Manufacturers can anticipate many customer cybersecurity goals, especially those based on existing cybersecurity guidance and requirements—for example, customers in a particular sector may be required by regulations to change all default passwords.

*Figure 2: Connections Between IoT Device Manufacturers and Customers Around Cybersecurity*
Cybersecurity risks for IoT devices can be thought of in terms of two high-level risk mitigations.
* The first is safeguarding the cybersecurity of the device itself — to prevent the device from being misused to negatively impact the customer or to attack other organizations, or from not providing the expected functionality for the customer.
* The second is safeguarding the confidentiality, integrity, and/or availability of data (including personal information) collected by, stored on, processed by, or transmitted to or from the IoT device.
Manufacturers can answer the following questions for each of the expected use cases to support both of these risk mitigations:
***How will the IoT device interact with the physical world?*** The potential for some IoT devices to affect the physical world, either directly through actuation or indirectly through measurement, could result in *operational requirements*. For example, many safety-critical devices must continue to provide some or all functionality in the event of a cybersecurity incident, network issue, or other adverse condition.
***How will the IoT device need to be accessed, managed, and monitored by authorized people, processes, and other devices?***
1. The methods likely to be used by device customers to manage the device are important to consider. An IoT device could support integration with common enterprise systems (e.g., asset management, vulnerability management, log management) to give customers with these systems greater control over and visibility into the device. For an IoT device expected to be used in home environments only, this capability would not be relevant; customers would expect a user-friendly way to manage their devices, or even want the manufacturer to perform all device management on their behalf (e.g., install patches automatically). An IoT device used by a small business might also be managed by a third party on behalf of the business.
2. Making a device highly configurable is generally more desirable in organization environments and less so in home customer settings.
3. Consider how accessible the device is, either logically or physically (e.g., a food vending machine in a public space).
4. Consider whether the IoT device should or must have an open application programming interface (API) to support third-party integration, support, or development.
5. Consider allowing customers to disable device cybersecurity capabilities that may negatively impact operations (e.g., a lockout after repeated failed logins, intended to deter brute-force attacks, could be used to cause a denial of service against legitimate users).
6. Consider expectations about device lifespan and how that may impact which device cybersecurity capabilities are feasible over the expected lifespan (e.g., continuing to provide software updates).
***What are the known cybersecurity requirements for the IoT device?***
Manufacturers can identify known requirements in their use cases, such as sector-specific cybersecurity regulations, country-specific laws, contractual obligations, or customer expectations and conventions so they can be mindful of those requirements during device capability identification.
***How might the IoT device’s use of device cybersecurity capabilities be interfered with by the device’s operational or environmental characteristics?***
For example, devices expected to be used on low-bandwidth or unreliable networks might not be able to use certain device capabilities, such as a secure update mechanism.
***What will the nature of the IoT device’s data be?***
There is a great deal of variability in data stored by IoT devices; some devices do not store any data, while others store data that could cause significant harm if accessed or modified by unauthorized entities. Understanding this helps manufacturers identify which device cybersecurity capabilities may be needed for protecting device data such as encryption, device and user authentication, data validation, access control, and backup/restore.
***What is the degree of trust in the IoT device that customers may need?***
For example, in some contexts, additional trust that data is protected could be achieved by adding protection of data in use within the device. This would go beyond the usual goals of data protection (e.g., protecting data at rest and in transit).
***What complexities will be introduced by the IoT device interacting with other devices, systems, and environments?***
### **Activity 3**: *Determine how to address customer needs and goals*
>Manufacturers can determine how to address those needs and goals by having their IoT devices provide particular device cybersecurity capabilities in order to help customers mitigate their cybersecurity risks. To provide a starting point to use in identifying the necessary device cybersecurity capabilities, a companion publication is provided, ***NISTIR 8259A***, **IoT Device Cybersecurity Capability Core Baseline**, which is a set of device cybersecurity capabilities that customers are likely to need to achieve their goals and fulfill their needs.
> For each customer need or goal, which one or more of the following is a suitable means (or combination of means) to achieve it?
1. The IoT device can provide the technical means through its device cybersecurity capabilities.
2. Another device related to the IoT device (e.g., an IoT gateway or hub also from the manufacturer, or a third-party IoT gateway or hub) can provide the technical means on behalf of the IoT device.
3. Other systems and services that may or may not be acting on behalf of the manufacturer (e.g., a cloud-based service) can provide the technical means.
4. In addition to and in support of technical means, non-technical means can also be provided by manufacturers (e.g., communication of lifespan and support expectations, disclosure of flaw remediation plans).
5. The customer can select and implement other technical and non-technical means for mitigating cybersecurity risks.
>It may take multiple technical means to achieve a goal, and a single technical means may help address multiple goals.
### **Activity 4**: *Plan for adequate support of customer needs and goals*
>Manufacturers can help make their IoT devices more securable by appropriately provisioning device hardware and software resources to support the desired device cybersecurity capabilities. They should also consider business resources necessary to support development and continued support of the IoT device in ways that support customer needs and goals (e.g., secure coding practices, vulnerability response and flaw remediation).
***Considering expected terms of support and lifespan, what potential future use needs to be taken into account?***
For example, if a device has a 10-year lifespan, it may become necessary to update the encryption algorithm or key length during that time, so the device's hardware and software resources should be provisioned to allow for this.
***Should an established IoT platform be used instead of acquiring and integrating individual hardware and software components?***
An IoT platform is a piece of IoT device hardware and/or supporting software already installed and configured.
***Should any of the device cybersecurity capabilities be hardware-based?***
An example is having a hardware root of trust that provides trusted storage for cryptographic keys and enables performing a secure boot and confirming device authenticity.
***Does the hardware or software (including the operating system) include unneeded device capabilities with cybersecurity implications? If so, can they be disabled to prevent misuse and exploitation?***
For example, a device may include physical interfaces that most customers do not need. Possible approaches to this issue include offering a tamper-resistant enclosure to prevent physical access to the interfaces, and offering a configuration option that logically disables the interfaces.
Manufacturers can answer questions like the following based on expected customers and use cases to help identify additional secure development practices to adopt in order to improve IoT device cybersecurity:
1. How is IoT device code protected from unauthorized access and tampering? (e.g., well-secured code repository, version control features, code signing)
2. How can customers verify hardware or software integrity for the IoT device? (e.g., hardware root of trust, code signature validation, cryptographic hash comparison)
3. What verification is done to confirm that the security of third-party software used within the IoT device meets the customers’ needs? (e.g., check for known vulnerabilities that are not yet fixed, review or analyze human-readable code, test executable code)
4. What measures are taken to minimize the vulnerabilities in released IoT device software? (e.g., follow secure coding practices, perform robust input validation, review and analyze human-readable code, test executable code, configure software to have secure settings by default, check code against known vulnerability databases)
5. What measures are taken to accept reports of possible IoT device software vulnerabilities and respond to them? (e.g., vulnerability response program, vulnerability database monitoring, threat intelligence service use, development and distribution of software updates)
6. What processes are in place to assess and prioritize the remediation of all vulnerabilities in IoT device software? (e.g., estimate remediation effort, estimate potential impact of exploitation, estimate attacker resources needed to weaponize the vulnerability)
## Activities with Primarily Post-Market Impact
### **Activity 5**: *Define approaches for communicating to customers*
>Many customers will benefit from manufacturers communicating to them more clearly about cybersecurity risks involving the IoT devices the manufacturers are currently selling or have already sold. This communication could be targeted at the customer directly or others acting on the customers’ behalf, such as an internet service provider or a managed security services provider, depending on context and roles. Manufacturers can answer questions like the following to help define communication approaches:
***What terminology will the customer understand?***
***How much information will the customer need?***
***How/where will the information be provided?***
***How can the integrity of the information be verified?***
***Will customers have to communicate with you as the manufacturer?***
### **Activity 6**: *Decide what to communicate to customers and how to communicate it*
>There are many potential considerations for what information a manufacturer communicates to customers for a particular IoT product and how that information will be communicated.
***Cybersecurity Risk-Related Assumptions***
To understand how their risks might differ from the manufacturer’s expectations, some customers may benefit by knowing the cybersecurity-related assumptions the manufacturer made when designing and developing the device, such as the following:
1. Who were the expected customers?
2. How was the device intended to be used?
3. What types of environment would the device be used in?
4. How would responsibilities be shared among the manufacturer, the customer, and others?
***Support and Lifespan Expectations***
Communicating device support and lifespan expectations helps customers plan their cybersecurity risk mitigations throughout the device’s support lifecycle. To determine what information to communicate to customers, manufacturers can answer questions like the following:
1. How long do you intend to support the device?
2. When do you intend for device end-of-life to occur? What will be the process for end-of-life?
3. What functionality, if any, will the device have after support ends and at end-of-life?
4. How can customers report suspected problems with cybersecurity implications, such as software vulnerabilities, to the manufacturer? Will reports be accepted after support ends? Will reports be accepted after end-of-life?
5. How can customers maintain securability even after official support for the device has ended (e.g., when a manufacturer or third-party organization with a role in cybersecurity shuts down entirely or ends support of the device)? Will essential files or data be made available in a public forum to allow others, even the customers themselves, to continue to support the IoT device?
***Device Composition and Capabilities***
Communicating information about the device's software, hardware, services, functions, and data types helps customers better understand and manage cybersecurity for their devices, particularly if the customer is expected to play a substantial role in managing device cybersecurity. To determine what information is important to communicate to customers, manufacturers can answer questions like the following:
1. What information do customers need on general cybersecurity-related aspects of the device, including device installation, configuration (including hardening), usage, management, maintenance, and disposal?
2. What is the potential effect on the device if the cybersecurity configuration is made more restrictive than the default?
3. What inventory-related information do customers need related to the device’s internal software, such as versions, patch status, and known vulnerabilities? Do customers need to be able to access the current inventory on demand?
4. What information do customers need about the sources of the device’s software, hardware, and services?
5. What information do customers need on the device’s operational characteristics so they can adequately secure the device? How should this information be made available?
6. What functions can the device perform?
7. What data types can the device collect? What are the identities of all parties (including the manufacturer) that can access that data?
8. What are the identities of all parties (including the manufacturer) who have access to or any degree of control over the device?
***Software Updates***
1. Will updates be made available? If so, when will they be released?
2. Under what circumstances will updates be issued?
3. How will updates be made available or delivered? Will there be notifications when updates are available or applied?
4. Which entity (e.g., customer, manufacturer, third party) is responsible for performing updates? Or can the customer designate which entity will be responsible (e.g., automatically applied by the manufacturer)?
5. How can customers verify and authenticate updates? (e.g., cryptographic hash comparison, code signature validation, or reliance on manufacturer-provided software that automatically performs update verification and authentication)
6. What information should be communicated with each individual update? (e.g., corrections to errors, altered or new capabilities)
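As an added example (not code from NISTIR 8259, which prescribes no particular format or algorithm), the following Go program shows what the verification in item 5 above, and the integrity check asked about in Activity 4 ("How can customers verify hardware or software integrity?"), look like on the device side. The manufacturer signs a small manifest that names the hash algorithm and carries the image digest and a monotonically increasing version number; the device checks the signature with its provisioned public key, refuses rollback to an older version, and compares the image digest in constant time. The manifest format, the product name `thermostat-x`, the version numbers and the firmware bytes are all constructed for this example, and Ed25519 with SHA-256 is the example's choice rather than the publication's. Naming the hash algorithm inside the signed manifest is one way of leaving room for the algorithm or key-length changes over a long lifespan that Activity 4 raises.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata shipped alongside a firmware image.
// The format is constructed for this example; NISTIR 8259 defines none.
type Manifest struct {
	Product   string `json:"product"`
	Version   uint32 `json:"version"`    // must increase monotonically (anti-rollback)
	HashAlg   string `json:"hash_alg"`   // named explicitly so it can change over the lifespan
	ImageHash string `json:"image_hash"` // hex digest of the image under HashAlg
}

// Update is what the device receives: the manifest bytes exactly as signed,
// the manufacturer's signature over them, and the image itself.
type Update struct {
	ManifestJSON []byte
	Signature    []byte
	Image        []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("update is not newer than the installed version")
	ErrHashAlg      = errors.New("unsupported hash algorithm in manifest")
	ErrHashMismatch = errors.New("image digest does not match signed manifest")
)

// Verify is the device side. pub is the manufacturer key provisioned on the
// device (ideally held by a hardware root of trust); installed is the running version.
func Verify(pub ed25519.PublicKey, product string, installed uint32, u Update) (*Manifest, error) {
	// Authenticate the manifest before trusting anything inside it.
	if !ed25519.Verify(pub, u.ManifestJSON, u.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return nil, err
	}
	if m.Product != product {
		return nil, ErrWrongProduct
	}
	// Refuse downgrades: an older, validly signed image may carry known flaws.
	if m.Version <= installed {
		return nil, ErrRollback
	}
	// Bind the image to the signed manifest using the algorithm the manifest names.
	var digest []byte
	switch m.HashAlg {
	case "sha256":
		d := sha256.Sum256(u.Image)
		digest = d[:]
	default:
		return nil, ErrHashAlg
	}
	want, err := hex.DecodeString(m.ImageHash)
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare(digest, want) != 1 {
		return nil, ErrHashMismatch
	}
	return &m, nil
}

// Sign is the manufacturer side: hash the image, build the manifest, sign it.
func Sign(priv ed25519.PrivateKey, product string, version uint32, image []byte) (Update, error) {
	d := sha256.Sum256(image)
	m := Manifest{Product: product, Version: version, HashAlg: "sha256", ImageHash: hex.EncodeToString(d[:])}
	mj, err := json.Marshal(m)
	if err != nil {
		return Update{}, err
	}
	return Update{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Image: image}, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2") // sample input, not a real image
	u, err := Sign(priv, "thermostat-x", 2, image)
	if err != nil {
		panic(err)
	}
	_, err = Verify(pub, "thermostat-x", 1, u)
	fmt.Println("genuine update on v1 device:", err) // <nil>
	_, err = Verify(pub, "thermostat-x", 2, u)
	fmt.Println("same update on v2 device:", err) // rollback rejected
	tampered := u
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0xff // flip one byte of the image after signing
	_, err = Verify(pub, "thermostat-x", 1, tampered)
	fmt.Println("tampered image:", err) // digest mismatch
}
```

The signature is checked before the manifest is parsed, so nothing an attacker controls reaches the JSON decoder or the version comparison unauthenticated; the hash comparison uses `subtle.ConstantTimeCompare` rather than `==` on the hex strings. Whether the device or a manufacturer-provided updater performs these steps (item 4 above) does not change the checks themselves.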
***Device Retirement Options***
1. Will customers want to transfer ownership of their devices to another party? If so, what do customers need to do so their user and configuration data on the device and associated systems (e.g., cloud-based services used by the device) are not accessible by the party who assumes ownership?
2. Will customers want to render their devices inoperable? If so, how can customers do that?
***Technical and Non-Technical Means***
1. Which technical means can be provided by the device itself (device cybersecurity capabilities), by a related device, or by a manufacturer service or system?
2. Which non-technical means can be provided by the manufacturer or other organizations and services acting on behalf of the manufacturer?
3. Which technical or non-technical means should the customer provide themselves or consider providing themselves?
4. How is each of the technical and non-technical means expected to affect cybersecurity risks?